Privacy Policy
Last updated: April 17, 2025
1. Introduction
Khayrat ("we", "our", or "us") is an Islamic practice tracker that helps Muslims record their daily Quran reading, fasting, and Qiyam, and compete with one another in leaderboards and arenas. This Privacy Policy explains what personal data we collect, how we use it, and the rights you have over it.
By using Khayrat — whether through our website or mobile application — you agree to the practices described in this policy.
2. Data We Collect
We collect only what is necessary to provide the service:
- Account information: your email address and password (stored as a secure hash), used for authentication.
- Profile information: username, first name, last name, country, city, age, and gender — provided voluntarily to personalise your public profile.
- Activity data: daily logs of Quran pages read, fasting days, and Qiyam sessions that you submit within the app.
- Arena & social data: arenas you create or join, messages posted in arena chats, and invitation activity.
- Technical data: basic request metadata (IP address, browser/device type, timestamps) collected automatically by our hosting infrastructure for security and performance.
We do not collect payment information, location beyond country/city, or any biometric data.
3. How We Use Your Data
- To create and manage your account and authenticate you securely.
- To calculate leaderboard scores and display rankings.
- To power arena features including group progress and chat.
- To send transactional notifications (e.g., arena invitations) where you have opted in.
- To detect and prevent abuse or fraudulent activity.
- To improve the service through anonymised, aggregated usage analysis.
We do not sell, rent, or trade your personal data to third parties for marketing purposes.
4. Legal Basis for Processing
If you are in the European Economic Area (EEA) or United Kingdom, we process your data under the following lawful bases:
- Contract: processing necessary to provide the service you signed up for.
- Legitimate interests: security monitoring and aggregate analytics.
- Consent: optional notifications, which you can withdraw at any time.
5. Data Sharing
We share data only with the sub-processors necessary to operate the service:
- Supabase, Inc. — our database and authentication provider, which stores all user data in a PostgreSQL database hosted on AWS. Supabase is SOC 2 Type II certified.
- Vercel, Inc. — our web hosting provider. Edge request logs are retained for a short period for debugging.
- Apple / Google — for mobile app distribution. Your app store account is governed by their respective privacy policies.
We may also disclose information if required by law, court order, or to protect the rights or safety of our users.
6. Public Information
Your username, country, and aggregated activity statistics (total points, consistency percentage, active days) are visible to other users on leaderboards and inside arenas you join. Arena chat messages are visible to all members of that arena. You can choose a pseudonymous username to limit identifiability.
7. Data Retention
We retain your personal data for as long as your account is active. If you delete your account, we will delete or anonymise your personal data within 30 days, except where retention is required by law or legitimate business interests (e.g., fraud prevention records).
8. Your Rights
Depending on your jurisdiction you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data via your account settings.
- Delete your account and associated data.
- Export your data in a portable format.
- Object to or restrict certain processing.
- Withdraw consent for notifications at any time.
To exercise any of these rights, contact us at the address below. We will respond within 30 days.
9. Children's Privacy
Khayrat is not directed at children under 13. We do not knowingly collect personal data from anyone under 13 years of age. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
10. Security
We implement industry-standard security measures including TLS encryption in transit, hashed passwords, and row-level security policies in our database. No system is completely secure; in the event of a data breach affecting your rights we will notify you as required by applicable law.
11. Cookies & Tracking
Our website uses a single authentication cookie (a signed JWT) set by Supabase to keep you logged in. We do not use advertising cookies or third-party tracking pixels. Basic analytics are processed server-side and do not set cookies.
12. Changes to This Policy
We may update this policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email or in-app message. Continued use of Khayrat after changes constitutes acceptance of the updated policy.
13. Contact Us
If you have any questions, requests, or concerns about this Privacy Policy or how we handle your data, please contact:
Khayrat
Email: david.thanoon@gmail.com